Vendors always have been one of the most worrisome parts of HIPAA security because hospitals and health systems must rely on them for the appropriate technological and physical security for protected data — without the ability to dictate exactly how.